Require vault to run as non root (#80)
* Require vault to run as non root * Fix unit tests * Make uid/gid configurable, remove home emptydir
This commit is contained in:
Jason O'Donnell
GitHub
parent
f7aa2576d0
commit
b41d36c621
7 changed files with 223 additions and 89 deletions
|
|
@ -13,9 +13,7 @@ metadata:
|
|||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
data:
|
||||
extraconfig-from-values.hcl: |-
|
||||
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
|
||||
disable_mlock = true
|
||||
{{- end }}
|
||||
{{- if eq .mode "standalone" }}
|
||||
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
|
||||
{{- else if eq .mode "ha" }}
|
||||
|
|
|
|||
|
|
@ -41,17 +41,19 @@ spec:
|
|||
terminationGracePeriodSeconds: 10
|
||||
serviceAccountName: {{ template "vault.fullname" . }}
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsGroup: {{ .Values.server.gid | default 1000 }}
|
||||
runAsUser: {{ .Values.server.uid | default 100 }}
|
||||
fsGroup: {{ .Values.server.gid | default 1000 }}
|
||||
volumes:
|
||||
{{ template "vault.volumes" . }}
|
||||
containers:
|
||||
- name: vault
|
||||
{{ template "vault.resources" . }}
|
||||
{{- if eq (.Values.server.mlock.enabled | toString) "true" }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
add: ["IPC_LOCK"]
|
||||
{{- end }}
|
||||
image: "{{ .Values.global.image }}"
|
||||
command: {{ template "vault.command" . }}
|
||||
args: {{ template "vault.args" . }}
|
||||
|
|
@ -70,10 +72,8 @@ spec:
|
|||
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
|
||||
- name: SKIP_CHOWN
|
||||
value: "true"
|
||||
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
|
||||
- name: SKIP_SETCAP
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{ template "vault.envs" . }}
|
||||
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
|
||||
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
|
||||
|
|
|
|||
|
|
@ -82,52 +82,3 @@ load _helpers
|
|||
yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
|
||||
[ ! -z "${actual}" ]
|
||||
}
|
||||
|
||||
@test "server/ConfigMap: mlock by default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-config-configmap.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
|
||||
[ -z "${actual}" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
-x templates/server-config-configmap.yaml \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
|
||||
[ -z "${actual}" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
-x templates/server-config-configmap.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
|
||||
[ -z "${actual}" ]
|
||||
}
|
||||
|
||||
@test "server/ConfigMap: disable mlock" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-config-configmap.yaml \
|
||||
--set 'server.mlock.enabled=false' \
|
||||
. | tee /dev/stderr |
|
||||
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
|
||||
[ ! -z "${actual}" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
-x templates/server-config-configmap.yaml \
|
||||
--set 'server.mlock.enabled=false' \
|
||||
--set 'server.standalone.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
|
||||
[ ! -z "${actual}" ]
|
||||
|
||||
local actual=$(helm template \
|
||||
-x templates/server-config-configmap.yaml \
|
||||
--set 'server.mlock.enabled=false' \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
|
||||
[ ! -z "${actual}" ]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -224,19 +224,19 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOO" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
yq -r '.[7].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
yq -r '.[8].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOOBAR" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[7].value' | tee /dev/stderr)
|
||||
yq -r '.[8].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "foobar" ]
|
||||
}
|
||||
|
||||
|
|
@ -257,23 +257,23 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "ENV_FOO_0" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_name_0" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_key_0" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "ENV_FOO_1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_name_1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_key_1" ]
|
||||
}
|
||||
|
||||
|
|
@ -311,3 +311,68 @@ load _helpers
|
|||
yq -r '.spec.volumeClaimTemplates' | tee /dev/stderr)
|
||||
[ "${actual}" = "null" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# Security Contexts
|
||||
@test "server/standalone-StatefulSet: uid default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
|
||||
[ "${actual}" = "100" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: uid configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.uid=2000' \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: gid default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "1000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: gid configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.gid=2000' \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: fsgroup default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "1000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: fsgroup configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.gid=2000' \
|
||||
--set 'server.dev.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -320,19 +320,19 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOO" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].value' | tee /dev/stderr)
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOOBAR" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
yq -r '.[7].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "foobar" ]
|
||||
}
|
||||
|
||||
|
|
@ -354,23 +354,23 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "ENV_FOO_0" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_name_0" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_key_0" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "ENV_FOO_1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_name_1" ]
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
|
||||
[ "${actual}" = "secret_key_1" ]
|
||||
}
|
||||
|
||||
|
|
@ -506,3 +506,68 @@ load _helpers
|
|||
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
|
||||
[ "${actual}" = "testing" ]
|
||||
}
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# Security Contexts
|
||||
@test "server/standalone-StatefulSet: uid default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
|
||||
[ "${actual}" = "100" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: uid configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.uid=2000' \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: gid default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "1000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: gid configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.gid=2000' \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: fsgroup default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "1000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: fsgroup configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.gid=2000' \
|
||||
--set 'server.ha.enabled=true' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -305,19 +305,19 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOO" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].value' | tee /dev/stderr)
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOOBAR" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
yq -r '.[7].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "foobar" ]
|
||||
|
||||
local object=$(helm template \
|
||||
|
|
@ -328,19 +328,19 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOO" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].value' | tee /dev/stderr)
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
yq -r '.[7].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "FOOBAR" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
yq -r '.[7].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "foobar" ]
|
||||
}
|
||||
|
||||
|
|
@ -532,3 +532,63 @@ load _helpers
|
|||
yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
|
||||
[ "${actual}" = "bar" ]
|
||||
}
|
||||
|
||||
|
||||
#--------------------------------------------------------------------
|
||||
# Security Contexts
|
||||
@test "server/standalone-StatefulSet: uid default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
|
||||
[ "${actual}" = "100" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: uid configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.uid=2000' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: gid default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "1000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: gid configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.gid=2000' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: fsgroup default" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "1000" ]
|
||||
}
|
||||
|
||||
@test "server/standalone-StatefulSet: fsgroup configurable" {
|
||||
cd `chart_dir`
|
||||
local actual=$(helm template \
|
||||
-x templates/server-statefulset.yaml \
|
||||
--set 'server.gid=2000' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
|
||||
[ "${actual}" = "2000" ]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -240,11 +240,6 @@ server:
|
|||
serviceaccount:
|
||||
annotations: {}
|
||||
|
||||
# mlock prevents memory from being swapped to disk. If swap is enabled this should
|
||||
# be true.
|
||||
mlock:
|
||||
enabled: true
|
||||
|
||||
# Vault UI
|
||||
ui:
|
||||
# True if you want to create a Service entry for the Vault UI.
|
||||
|
|
|
|||
Loading…
Reference in a new issue